IN THE CLAIMS:



The following is a current listing of claims and will replace all prior versions and listings 
of claims in the application. Please amend the claims as follows: 

1-104. (Canceled) 

105. (Currently Amended) A computer-implemented method comprising:

selecting an active program on a computer system as code under investigation, wherein
the program is running on the computer system in a manner that permits the program to infect
the computer system; and

successively executing [[malicious code detection code (MCDC) on the computer system,
wherein the MCDC includes]] each of a first and a second plurality of detection routines, wherein
said executing includes:

applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results; and 

weighting each of the first plurality of results to obtain a first score indicative 
of whether the code under investigation has characteristics and/or behaviors typically 
associated with valid code; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results; 

weighting each of the second plurality of results to obtain a second score 
indicative of whether the code under investigation has characteristics and/or behaviors 
typically associated with malicious code, wherein the second score is obtained
independently of the first score; and 

upon completing the executing of the first and second plurality of detection routines,
using the first and/or second scores to categorize the code under investigation with respect to the 
likelihood of the code under investigation compromising the security of the computer system. 

106. (Canceled) 
107. (Currently Amended) The method of claim 105, further comprising:

selecting, in turn, each of a plurality of additional active programs on the computer
system as code under investigation, wherein each of the plurality of additional active programs is
running on the computer system in a manner that permits infection of the computer system; and

successively executing [[said MCDC]] each of the first and second plurality of detection
routines with respect to said selected code under investigation.

108. (Canceled) 

109. (Previously Presented) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect remote control software. 

110. (Previously Presented) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect a keystroke logger. 

111. (Previously Presented) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect spyware. 

112. (Previously Presented) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect a worm. 

113. (Previously Presented) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect a virus. 

114. (Previously Presented) The method of claim 105, wherein the second plurality of
detection routines are configured to detect monitoring software. 
115. (Currently Amended) A computer-implemented method comprising:

selecting code currently running on a computer system as code under investigation, 
wherein said code is running in a manner that permits infection of said computer system; and 

executing, in turn, [[malicious code detection code (MCDC) on the computer system,
wherein the MCDC includes]] each of a first and a second plurality of detection routines on the
computer system, wherein said executing includes:

applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results; 

weighting each of the first plurality of results to obtain a first score indicative 
of whether the code under investigation has characteristics and/or behaviors typically 
associated with valid code; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results; and 

weighting each of the second plurality of results to obtain a second score 
indicative of whether the code under investigation has characteristics and/or behaviors 
typically associated with malicious code, wherein the second score is independent of
the first score; and

upon executing each of the first and second plurality of detection routines: 

using the first and/or second scores to categorize the code under investigation into 
one of a plurality of categories, including first and second categories indicative of valid 
code and malicious code, respectively. 

116. (Canceled) 

117. (Previously Presented) The method of claim 115, wherein at least some of the code
associated with the selected active code is running in kernel mode. 

118. (Currently Amended) The method of claim 115, further comprising:
selecting additional active code as code under investigation; and 

executing each of the first and second pluralities of detection routines [[said MCDC]] with respect to
said selected code under investigation.



119-126. (Canceled) 

127. (Currently Amended) A computer system comprising: 
a processor; and 

a memory storing program instructions executable by the processor to: 

select a program currently running on a computer system as code under 
investigation, wherein said program is running in a manner that permits infection of said 
computer system; and 

successively execute each of [[malicious code detection code (MCDC) on the
computer system, wherein the MCDC includes]] a first and a second plurality of detection
routines on the computer system, including:

applying each of the first plurality of detection routines to the code 
under investigation to obtain a corresponding one of a first plurality of results; 

weighting each of the first plurality of results to obtain a first score
indicative of the extent to which the code under investigation has
characteristics and/or behaviors typically associated with valid code;

applying each of the second plurality of detection routines to the code 
under investigation to obtain a corresponding one of a second plurality of 
results; and 

weighting each of the second plurality of results to obtain a second 
score indicative of the extent to which the code under investigation has 
characteristics and/or behaviors typically associated with malicious code; and 

upon completing execution of the first and second plurality of detection routines,
use[[ing]] the first and/or second scores to make a determination [[determine]] whether the
code under investigation represents a security threat to the computer system.

128. (Currently Amended) A computer-readable memory medium, including program
instructions that are computer executable by a computer system to: 

select a program currently running on the computer system as code under investigation, 
wherein said program is running in a manner that permits infection of said computer system; and 

successively execute each of [[malicious code detection code (MCDC) on the computer
system, wherein the MCDC includes]] a first and a second plurality of detection routines on the
computer system, [[and wherein execution of the MCDC]] includ[[es]]ing:

applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results, wherein the 
first plurality of detection routines test for characteristics and/or behaviors typically 
associated with valid code; 

weighting and combining each of the first plurality of results to obtain a first 
composite score; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results, wherein 
the first plurality of detection routines test for characteristics and/or behaviors 
typically associated with malicious code; and 

weighting and combining each of the second plurality of results to obtain a 
second composite score; and 

upon executing each of the first and second plurality of detection routines, use[[ing]] the
first and/or second composite scores to make a determination [[determine]] whether the code under
investigation is malicious code.

129. (Previously Presented) The method of claim 105, further comprising:

determining from the first and second scores that the code under investigation is 
malicious code. 

130. (Previously Presented) The method of claim 129, wherein the malicious code does not 
have a known signature. 
131. (Previously Presented) The method of claim 105, wherein the first plurality of detection
routines includes routines that examine the behavior of the code under investigation. 

132. (Previously Presented) The method of claim 131, wherein the second plurality of 
detection routines includes routines that examine the behavior of the code under investigation. 

133. (Previously Presented) The method of claim 105, wherein the malicious code is a 
previously unknown type of malicious code. 

134. (Previously Presented) The method of claim 129, wherein the determination that the 
code under investigation is malicious code is based on the first score not exceeding a valid 
code threshold value and the second score exceeding a malicious code threshold value. 

135. (Currently Amended) The method of claim 105, wherein the determination is made
[[further comprising:]]

[[determining]] from the first and second scores that the code under investigation is valid
code.

136. (Currently Amended) The method of claim 105[[135]], wherein the determination is made
that the code under investigation is valid code, wherein the determination is made based on the
first score exceeding a valid code threshold value and regardless of the second score.

137. (Currently Amended) The method of claim 105, wherein the determination is made that
the code under investigation is valid code, wherein the determination is made based on the first
score exceeding a valid code threshold and the second score not exceeding a malicious code
threshold [[further comprising:

determining from the first and second scores that the code under investigation is
suspicious code, wherein suspicious code has not been determined to be either valid or
malicious code]].

138. (Currently Amended) The method of claim 105[[137]], further comprising:

determining from the first and second scores that the code under investigation is
suspicious code, wherein suspicious code has not been determined to be either valid or
malicious code, wherein the code under investigation is determined to be suspicious code based
on the first and second scores being similar.

139. (Currently Amended) The system of claim 127, wherein the [[further comprising]] program
instructions are executable by the processor to:

determine from the first and second scores that the code under investigation is malicious code. 

140. (Previously Presented) The system of claim 139, wherein the malicious code is a 
previously unknown type of malicious code. 

141. (Previously Presented) The system of claim 139, wherein the determination that the 
code under investigation is malicious code is based on the first score not exceeding a valid 
code threshold value and the second score exceeding a malicious code threshold value. 

142. (Currently Amended) The system of claim 127, wherein the [[further comprising]] program
instructions are executable by the processor to:

determine from the first and second scores that the code under investigation is valid
code.

143. (Currently Amended) The system of claim 142, wherein the determination that the code
under investigation is valid code is based on the first score exceeding a valid code threshold
value and regardless of the second score.

144. (Previously Presented) The system of claim 127, further comprising program
instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is 
suspicious code. 

145. (Currently Amended) The memory medium of claim 128, wherein the [[further
comprising]] program instructions are executable by the computer system to:

determine from the first and second scores that the code under investigation is malicious code. 
146. (Previously Presented) The memory medium of claim 145, wherein the malicious code
is a previously unknown type of malicious code. 

147. (Currently Amended) The memory medium of claim 128, wherein the [[further
comprising]] program instructions are executable by the computer system to:

determine from the first and second scores that the code under investigation is valid
code.

148. (Currently Amended) The memory medium of claim 147, wherein the determination 
that the code under investigation is valid code is based on the first score exceeding a valid code 
threshold value and regardless of the second score . 

149. (Previously Presented) The memory medium of claim 128, further comprising program 
instructions executable to: 

determine from the first and second scores that the code under investigation is 
suspicious code. 

150. (Previously Presented) The memory medium of claim 145, wherein the determination
that the code under investigation is malicious code is based on the first score not exceeding a
valid code threshold value and the second score exceeding a malicious code threshold value.

151. (Previously Presented) The method of claim 105, wherein at least some of the code
associated with the selected active program is running in kernel mode. 



Page 9 of 17 



152. (Currently Amended) One or more computer-readable media storing program instructions 
executable on a computer system to: 

while a first program is running on the computer system in a manner that permits the first 
program to infect the computer system: 

successively execute each of a first and second plurality of detection routines to 
gather information about the first program, including behavioral information about the first 
program, wherein the first plurality of detection routines are executable to detect behavior 
indicative of valid code, and wherein the second plurality of detection routines are executable to 
detect behavior indicative of malicious code: 

upon completing execution of each of the first and second plurality of detection
routines:

use the results of the first plurality of detection routines to determine a
first value indicative of the likelihood that the first program is valid code [[characteristics and/or
behaviors exhibited by a first program running on the computer system]];

use the results of the second plurality of detection routines to
[[independently]] determine a second value indicative of the likelihood that the first program is
malicious code [[characteristics and/or behaviors exhibited by the first program]];

based on comparisons involving [[use]] the first and/or second values[[,]] to
determine whether the first program is a security threat to the computer system.

153. (Previously Presented) The computer-readable media of claim 152, wherein the program 
instructions are executable to determine whether the first program is a security threat to the 
computer system based on a first comparison between the first value and a valid code threshold 
value and also based on a second comparison between the second value and a malicious code 
threshold value. 

154. (Previously Presented) The computer-readable media of claim 152, wherein the program 
instructions are executable to determine that the first program is a security threat to the computer 
system based on the first value not exceeding a valid code threshold value and on the second
value exceeding a malicious code threshold value.

155. (Currently Amended) The computer-readable media of claim 152, wherein the program
instructions are executable to determine that the first program is not a security threat to the 
computer system based on the first value exceeding a valid code threshold value and regardless 
of the second value . 

156. (Previously Presented) The computer-readable media of claim 152, wherein the program 
instructions are executable to determine that the first program is not a security threat to the 
computer system based on the first value exceeding a valid code threshold value and on the 
second value not exceeding a malicious code threshold value. 

157-158. (Canceled) 
159. (Currently Amended) A method, comprising:

while a first program is running on a computer system in a manner that permits the first 
program to infect the computer system, successively executing each of a first and second 
plurality of detection routines, wherein the first plurality of detection routines are executable to 
determine behaviors of the first program that are indicative of valid code, and wherein the second 
plurality of detection routines are executable to determine behaviors of the first program that are 
indicative of malicious code:

upon completing the executing of the first and second plurality of detection routines: 

using results of the first plurality of detection routines to compute[[ing]] a first
score indicative of the likelihood that the first program is valid code [[characteristics and/or
behaviors exhibited by a first program running on a computer system]];

using results of the second plurality of detection routines to compute[[ing]] a
second value indicative of the likelihood that the first program is malicious code [[characteristics
and/or behaviors exhibited by the first program]];

using the computed first and/or second values to categorize the first program as to 
the likelihood of the first program compromising the security of the computer system. 

160-161. (Canceled) 

162. (Previously Presented) The method of claim 159, wherein said using includes performing 
comparisons involving the first and second values. 

163. (Previously Presented) The method of claim 162, wherein said first program is 
categorized based on a comparison between the first score and a valid code threshold. 

164. (Currently Amended) The method of claim 163, wherein the first program is categorized
as not being a security threat based on the first score exceeding the valid code threshold and
regardless of the second score.

165. (Previously Presented) The method of claim 162, wherein said first program is 
categorized based on a comparison between the first score and a valid code threshold and also on 
a comparison between the second score and a malicious code threshold. 
166. (Previously Presented) The method of claim 165, wherein the first program is categorized
as not being a security threat based on the first score exceeding the valid code threshold and the 
second score not exceeding the malicious code threshold. 
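The scheme recited in claims 105, 134 to 138 and 152 to 166 (a first plurality of routines weighted into a valid-code score, a second plurality weighted independently into a malicious-code score, and threshold comparisons that place the program in a valid, malicious or suspicious category) is illustrated below by an added Python example. It is not part of this claims listing and not the applicant's implementation; the routine names, weights, thresholds and sample programs are constructed assumptions chosen only to show the decision logic.

```python
"""Two-score categorization of a running program: an added illustration of the
claims' scheme (first plurality -> valid-code score, second plurality ->
independent malicious-code score, thresholds -> category). All routine names,
weights, thresholds and sample programs below are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    """Facts gathered about one running program (constructed; no real process is inspected)."""
    name: str
    signed_by_trusted_publisher: bool
    has_visible_window: bool
    installed_by_package_manager: bool
    installs_keyboard_hook: bool
    hides_from_process_list: bool
    writes_autostart_entry: bool
    listens_on_network: bool


# A detection routine maps an observation to a result in [0.0, 1.0].
Routine = Callable[[Observation], float]

# First plurality: characteristics typically associated with valid code (weights sum to 1).
VALID_ROUTINES: List[Tuple[str, float, Routine]] = [
    ("signed_by_trusted_publisher", 0.5, lambda o: float(o.signed_by_trusted_publisher)),
    ("has_visible_window", 0.2, lambda o: float(o.has_visible_window)),
    ("installed_by_package_manager", 0.3, lambda o: float(o.installed_by_package_manager)),
]

# Second plurality: characteristics typically associated with malicious code (weights sum to 1).
MALICIOUS_ROUTINES: List[Tuple[str, float, Routine]] = [
    ("installs_keyboard_hook", 0.3, lambda o: float(o.installs_keyboard_hook)),
    ("hides_from_process_list", 0.3, lambda o: float(o.hides_from_process_list)),
    ("writes_autostart_entry", 0.2, lambda o: float(o.writes_autostart_entry)),
    ("listens_on_network", 0.2, lambda o: float(o.listens_on_network)),
]

# Assumed threshold values; a deployment would tune them against labelled programs.
VALID_THRESHOLD = 0.6
MALICIOUS_THRESHOLD = 0.5


def weighted_score(routines: List[Tuple[str, float, Routine]], obs: Observation) -> float:
    """Apply each routine in turn and weight its result into one composite score.
    A score depends only on its own plurality, so the two scores are independent."""
    return round(sum(weight * routine(obs) for _, weight, routine in routines), 4)


def categorize(valid_score: float, malicious_score: float) -> str:
    """Decision order follows the claims: a first score above the valid threshold wins
    regardless of the second score (claims 136, 143, 155); otherwise a second score
    above the malicious threshold marks the program malicious (claims 134, 141, 154);
    anything left has not been determined either way and is suspicious (claim 137)."""
    if valid_score > VALID_THRESHOLD:
        return "valid"
    if malicious_score > MALICIOUS_THRESHOLD:
        return "malicious"
    return "suspicious"


def investigate(obs: Observation) -> Dict[str, object]:
    """Run both pluralities against one program and report scores and category."""
    valid_score = weighted_score(VALID_ROUTINES, obs)
    malicious_score = weighted_score(MALICIOUS_ROUTINES, obs)
    return {
        "name": obs.name,
        "valid_score": valid_score,
        "malicious_score": malicious_score,
        "category": categorize(valid_score, malicious_score),
    }


# Constructed sample programs standing in for live processes on a host.
SAMPLE_PROGRAMS = [
    Observation("text_editor", True, True, True, False, False, False, False),
    Observation("unknown_daemon", False, False, False, True, True, True, True),
    # Signed input-method helper that hooks the keyboard and autostarts: the scores tie.
    Observation("ime_helper", True, False, False, True, False, True, False),
]


def investigate_all(programs=SAMPLE_PROGRAMS) -> List[Dict[str, object]]:
    """Select each active program in turn and categorize it (as in claims 107 and 118)."""
    return [investigate(p) for p in programs]


if __name__ == "__main__":
    for report in investigate_all():
        print(f"{report['name']:15s} valid={report['valid_score']:.2f} "
              f"malicious={report['malicious_score']:.2f} -> {report['category']}")
```

The third sample is the case the suspicious category exists for: a signed helper that also hooks the keyboard and autostarts scores 0.5 on both sides, clears neither threshold, and is reported as undetermined rather than forced into valid or malicious. Because the two scores are computed from disjoint routine sets, a high valid score cannot mask the malicious indicators in the report even when the valid category wins; both numbers remain visible to an analyst.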

167. (Canceled) 